Posted to dev@openoffice.apache.org by "Dennis E. Hamilton" <or...@apache.org> on 2016/04/05 19:36:25 UTC

[DISCUSS][VOTE] Release Groovy UNO Extension 0.1.4

Side question.

> -----Original Message-----
> From: Carl Marcum [mailto:cmarcum@apache.org]
> Sent: Tuesday, April 5, 2016 04:07
> To: dev@openoffice.apache.org
> Subject: [VOTE] Release Groovy UNO Extension 0.1.4
> 
> This is for a source release of Groovy UNO Extension 0.1.4 from Apache
> OpenOffice
> and binaries made available from Maven via Apache Nexus.
> 
> Source packages for RC1 are available at:
> https://dist.apache.org/repos/dist/dev/openoffice/devtools/
> and the reference revision is r1737622.
> 
> Binary Maven packages are staged here:
> https://repository.apache.org/content/repositories/orgapacheopenoffice-1019/
> 
> I'm signing with a new 4096 bit key I recently added to KEYS.
> 
[orcmid] 

I forgot to ask this when you mentioned the new key before.

Carl, is the fingerprint of this new key added to your account information at id.apache.org?

I see only one entry for cmarcum at <https://people.apache.org/keys/committer/> and that 

    ASF ID: cmarcum
    LDAP PGP key: 8204 E089 64AC 9ABA 7472 A123 669C FA03 CED4 6810

    pub  2048R/CED46810 2011-07-04 Carl Marcum <cm...@apache.org>
          Key fingerprint = 8204 E089 64AC 9ABA 7472  A123 669C FA03 CED4 6810
    uid                            Carl Marcum <ca...@codebuilders.net>
    sub  2048R/3175CD6A 2011-07-04

is for your older 2048-bit key.  (Note that you can have any number of key signatures in your account record and you should probably not remove any that have been used in signing releases or for any other situation where confirmation is needed that the key is one of yours as an ASF committer.)

The committer keys file is automatically updated from PGP key signatures and will reflect countersignatures on your key (circle of trust attestations).  If the key is ever revoked for any reason, that will be discoverable there too unless the fingerprint or apache account are removed.  (Of course, you must publish your new 4069-bit public key to a PGP key server for this to work.)

As far as I know, public keys in release-archive KEYS files are not automatically synchronized in that manner, although the one associated with projects is, such as the one at 
<https://people.apache.org/keys/group/openoffice.asc>.  This should *not* be used as a release KEYS though.  See <https://people.apache.org/keys/> for details.  

What is needed in KEYS files for authenticating a release and stored in the mirror directories is always cumulative, so any signature you have used to sign a release (candidate) needs to be in the release-associated KEYS file.  It is nice to use the 
<https://people.apache.org/keys/committer/>-accessed version of the key in our KEYS file because that one has the useful descriptive information as shown for your 2048-bit key, above.

Note that keys that have not been used in signing release candidates do not need to be in release-associated KEYS files and it is good practice (and a useful precaution) to keep it that way.

PS: None of this is a release blocker.  But you can get the dots connected before the [VOTE] concludes.  I assume there is no further reason to touch the KEYS file that you have already updated.

 - Dennis



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org


RE: [DISCUSS][VOTE] Release Groovy UNO Extension 0.1.4

Posted by "Dennis E. Hamilton" <or...@apache.org>.

> -----Original Message-----
> From: Carl Marcum [mailto:cmarcum@apache.org]
> Sent: Tuesday, April 5, 2016 15:08
> To: dev@openoffice.apache.org
> Subject: Re: [DISCUSS][VOTE] Release Groovy UNO Extension 0.1.4
> 
> On 04/05/2016 01:36 PM, Dennis E. Hamilton wrote:
> > Side question.
> >
> >> -----Original Message-----
> >> From: Carl Marcum [mailto:cmarcum@apache.org]
> >> Sent: Tuesday, April 5, 2016 04:07
> >> To: dev@openoffice.apache.org
> >> Subject: [VOTE] Release Groovy UNO Extension 0.1.4
[ ... ]
> >> I'm signing with a new 4096 bit key I recently added to KEYS.
> >>
> > [orcmid]
> >
> > I forgot to ask this when you mentioned the new key before.
> >
> > Carl, is the fingerprint of this new key added to your account information at id.apache.org?
> >
> > I see only one entry for cmarcum at <https://people.apache.org/keys/committer/> and that
> >
> >      ASF ID: cmarcum
> >      LDAP PGP key: 8204 E089 64AC 9ABA 7472 A123 669C FA03 CED4 6810
> >
> >      pub  2048R/CED46810 2011-07-04 Carl Marcum <cm...@apache.org>
> >            Key fingerprint = 8204 E089 64AC 9ABA 7472  A123 669C FA03 CED4 6810
> >      uid                            Carl Marcum <ca...@codebuilders.net>
> >      sub  2048R/3175CD6A 2011-07-04
> >
> > is for your older 2048-bit key.  (Note that you can have any number of key signatures in your account record and you should probably not remove any that have been used in signing releases or for any other situation where confirmation is needed that the key is one of yours as an ASF committer.)
> >
> > The committer keys file is automatically updated from PGP key signatures and will reflect countersignatures on your key (circle of trust attestations).  If the key is ever revoked for any reason, that will be discoverable there too unless the fingerprint or apache account are removed.  (Of course, you must publish your new 4069-bit public key to a PGP key server for this to work.)
> >
> > As far as I know, public keys in release-archive KEYS files are not automatically synchronized in that manner, although the one associated with projects is, such as the one at
> > <https://people.apache.org/keys/group/openoffice.asc>.  This should *not* be used as a release KEYS though.  See <https://people.apache.org/keys/> for details.
> >
> > What is needed in KEYS files for authenticating a release and stored in the mirror directories is always cumulative, so any signature you have used to sign a release (candidate) needs to be in the release-associated KEYS file.  It is nice to use the
> > <https://people.apache.org/keys/committer/>-accessed version of the key in our KEYS file because that one has the useful descriptive information as shown for your 2048-bit key, above.
> >
> > Note that keys that have not been used in signing release candidates do not need to be in release-associated KEYS files and it is good practice (and a useful precaution) to keep it that way.
> >
> > PS: None of this is a release blocker.  But you can get the dots connected before the [VOTE] concludes.  I assume there is no further reason to touch the KEYS file that you have already updated.
> >
> >   - Dennis
> >
> 
> Hi Dennis,
> 
> Thank you for the reminder.
> 
> My new key was uploaded to public servers. ex.
> https://pgp.mit.edu/pks/lookup?op=vindex&search=0xF1DA7E3B9553BF9A
> 
> Before the vote I manually added it to
> http://www.apache.org/dist/openoffice/KEYS
> 
> I have just now added the new fingerprint to my profile at
> https://id.apache.org/
> for reference it is:
> pub   4096R/9553BF9A 2016-04-02
>        Key fingerprint = 813A C3C2 48B3 F26F B5D1  EB32 F1DA 7E3B 9553 BF9A
> uid                  Carl Marcum (CODE SIGNING KEY) <cm...@apache.org>
> uid                  Carl Marcum (CODE SIGNING KEY) <ca...@codebuilders.net>
> sub   4096R/D8524D84 2016-04-02
> 
> Is there now something that needs fixed?
[orcmid] 

I think you've covered all the bases, Carl.

> 
> Thanks,
> Carl
> 
> 


Re: [DISCUSS][VOTE] Release Groovy UNO Extension 0.1.4

Posted by Carl Marcum <cm...@apache.org>.
On 04/05/2016 01:36 PM, Dennis E. Hamilton wrote:
> Side question.
>
>> -----Original Message-----
>> From: Carl Marcum [mailto:cmarcum@apache.org]
>> Sent: Tuesday, April 5, 2016 04:07
>> To: dev@openoffice.apache.org
>> Subject: [VOTE] Release Groovy UNO Extension 0.1.4
>>
>> This is for a source release of Groovy UNO Extension 0.1.4 from Apache
>> OpenOffice
>> and binaries made available from Maven via Apache Nexus.
>>
>> Source packages for RC1 are available at:
>> https://dist.apache.org/repos/dist/dev/openoffice/devtools/
>> and the reference revision is r1737622.
>>
>> Binary Maven packages are staged here:
>> https://repository.apache.org/content/repositories/orgapacheopenoffice-1019/
>>
>> I'm signing with a new 4096 bit key I recently added to KEYS.
>>
> [orcmid]
>
> I forgot to ask this when you mentioned the new key before.
>
> Carl, is the fingerprint of this new key added to your account information at id.apache.org?
>
> I see only one entry for cmarcum at <https://people.apache.org/keys/committer/> and that
>
>      ASF ID: cmarcum
>      LDAP PGP key: 8204 E089 64AC 9ABA 7472 A123 669C FA03 CED4 6810
>
>      pub  2048R/CED46810 2011-07-04 Carl Marcum <cm...@apache.org>
>            Key fingerprint = 8204 E089 64AC 9ABA 7472  A123 669C FA03 CED4 6810
>      uid                            Carl Marcum <ca...@codebuilders.net>
>      sub  2048R/3175CD6A 2011-07-04
>
> is for your older 2048-bit key.  (Note that you can have any number of key signatures in your account record and you should probably not remove any that have been used in signing releases or for any other situation where confirmation is needed that the key is one of yours as an ASF committer.)
>
> The committer keys file is automatically updated from PGP key signatures and will reflect countersignatures on your key (circle of trust attestations).  If the key is ever revoked for any reason, that will be discoverable there too unless the fingerprint or apache account are removed.  (Of course, you must publish your new 4069-bit public key to a PGP key server for this to work.)
>
> As far as I know, public keys in release-archive KEYS files are not automatically synchronized in that manner, although the one associated with projects is, such as the one at
> <https://people.apache.org/keys/group/openoffice.asc>.  This should *not* be used as a release KEYS though.  See <https://people.apache.org/keys/> for details.
>
> What is needed in KEYS files for authenticating a release and stored in the mirror directories is always cumulative, so any signature you have used to sign a release (candidate) needs to be in the release-associated KEYS file.  It is nice to use the
> <https://people.apache.org/keys/committer/>-accessed version of the key in our KEYS file because that one has the useful descriptive information as shown for your 2048-bit key, above.
>
> Note that keys that have not been used in signing release candidates do not need to be in release-associated KEYS files and it is good practice (and a useful precaution) to keep it that way.
>
> PS: None of this is a release blocker.  But you can get the dots connected before the [VOTE] concludes.  I assume there is no further reason to touch the KEYS file that you have already updated.
>
>   - Dennis
>

Hi Dennis,

Thank you for the reminder.

My new key was uploaded to public servers. ex. 
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xF1DA7E3B9553BF9A

Before the vote I manually added it to 
http://www.apache.org/dist/openoffice/KEYS

I have just now added the new fingerprint to my profile at 
https://id.apache.org/
for reference it is:
pub   4096R/9553BF9A 2016-04-02
       Key fingerprint = 813A C3C2 48B3 F26F B5D1  EB32 F1DA 7E3B 9553 BF9A
uid                  Carl Marcum (CODE SIGNING KEY) <cm...@apache.org>
uid                  Carl Marcum (CODE SIGNING KEY) <ca...@codebuilders.net>
sub   4096R/D8524D84 2016-04-02

Is there now something that needs fixed?

Thanks,
Carl
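
Added example, not part of the original thread: a sketch of the "connect the dots" check discussed above, confirming that the key that signed a release appears both in the release KEYS file and among the fingerprints in the committer's profile. The colon-format listing is constructed (only the two primary fingerprints come from the thread), the function names are hypothetical, and it assumes the signature was made with the primary key.

```python
import re

# Constructed `gpg --with-colons --show-keys KEYS` style listing. The two
# primary fingerprints are the ones quoted in the thread; timestamps and
# the subkey record are placeholders.
KEYS_LISTING = """\
pub:-:2048:1:669CFA03CED46810:1309737600:::-:::scESC:
fpr:::::::::8204E08964AC9ABA7472A123669CFA03CED46810:
sub:-:2048:1:0000000000000001:1309737600::::::e:
fpr:::::::::0000000000000000000000000000000000000001:
pub:-:4096:1:F1DA7E3B9553BF9A:1459555200:::-:::scESC:
fpr:::::::::813AC3C248B3F26FB5D1EB32F1DA7E3B9553BF9A:
"""
OLD_FPR = "8204 E089 64AC 9ABA 7472  A123 669C FA03 CED4 6810"
NEW_FPR = "813A C3C2 48B3 F26F B5D1  EB32 F1DA 7E3B 9553 BF9A"


def to_hex(value):
    """Drop whitespace and an optional 0x prefix, return upper-case hex."""
    text = re.sub(r"\s+", "", value).upper()
    text = text[2:] if text.startswith("0X") else text
    if not re.fullmatch(r"[0-9A-F]+", text):
        raise ValueError("not a hex key identifier: %r" % value)
    return text


def primary_fingerprints(listing):
    """Return the fpr record that directly follows each pub record."""
    found, owner = [], None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            owner = fields[0]
        elif fields[0] == "fpr" and owner == "pub" and len(fields) > 9:
            found.append(fields[9])
            owner = None
    return found


def check_signing_key(issuer, profile_fprs, listing=KEYS_LISTING):
    """issuer: 40-hex fingerprint or 16-hex long key ID of the signing key."""
    issuer = to_hex(issuer)
    if len(issuer) not in (16, 40):  # 8-hex short IDs collide too easily
        raise ValueError("use a long key ID or full fingerprint")
    matches = [f for f in primary_fingerprints(listing) if f.endswith(issuer)]
    profile = {to_hex(f) for f in profile_fprs}
    return {
        "in_release_keys": len(matches) == 1,
        "in_committer_profile": any(f in profile for f in matches),
        "fingerprint": matches[0] if len(matches) == 1 else None,
    }
```

With only the old fingerprint in the profile list the check reports the new key as present in KEYS but not yet tied to the committer account; passing both fingerprints clears it.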

